
Switch to secure packages

Open lucperkins opened this issue 3 months ago • 2 comments

Summary by CodeRabbit

  • Chores

    • Linux CI runners upgraded to Ubuntu 24.04 and checkout action bumped to the latest major version across workflows.
    • macOS build targets removed from CI and release pipelines.
    • Build configuration source references updated and supported platforms reduced.
    • README examples updated to reflect the new checkout action version.
  • New Features

    • Consolidated artifact retrieval into a reusable workflow step to persist prebuilt artifacts per platform.

lucperkins Nov 12 '25 21:11

Walkthrough

Introduce a local composite action to download and persist prebuilt cache artifacts; replace per-platform download/copy steps with that action across release workflows; upgrade multiple GitHub Actions checkout usages to v5; change x86_64-linux runner to ubuntu-24.04; remove macOS entries from CI matrices and supportedSystems; update nixpkgs source.

Changes

Cohort / File(s) Summary
Build CI matrix
/.github/workflows/build.yaml
Change x86_64-linux runner from ubuntu-22.04 to ubuntu-24.04; remove x86_64-darwin matrix entry and macOS runner; upgrade checkout to actions/checkout@v5.
Release workflows
/.github/workflows/release-branches.yml, /.github/workflows/release-prs.yml, /.github/workflows/release-tags.yml
Replace explicit per-platform actions/download-artifact + cp sequences with calls to the local composite action at /.github/actions/download-persist (inputs: arch, os); update actions/checkout to @v5; remove older copy steps.
Other workflows
/.github/workflows/check-and-test.yaml, /.github/workflows/flakehub.yaml, /.github/workflows/update-flake-lock.yaml, /.github/workflows/*
Upgrade actions/checkout from v4 → v5 in multiple workflows; update actions/download-artifact versions and adjust YAML formatting/permissions where present.
Local composite action
/.github/actions/download-persist.yaml
Add composite action that downloads magic-nix-cache-${{ inputs.arch }}-${{ inputs.os }} and copies magic-nix-cache.closure.xz into artifacts/${{ inputs.arch }}-${{ inputs.os }}.
Nix flake
flake.nix
Update nixpkgs input/source to DeterminateSystems/secure/0; remove x86_64-darwin from supportedSystems.
Documentation
README.md
Update examples referencing actions/checkout@v4 → actions/checkout@v5.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Workflow as Release Workflow
    participant LocalAction as ./.github/actions/download-persist
    participant GHStore as GitHub Artifact Store
    participant FS as Artifacts Directory

    Note over Workflow,LocalAction: New single-call flow per platform
    Workflow->>LocalAction: invoke(inputs: arch, os)
    LocalAction->>GHStore: download "magic-nix-cache-${arch}-${os}"
    GHStore-->>LocalAction: artifact archive
    LocalAction->>FS: copy magic-nix-cache.closure.xz → artifacts/${arch}-${os}
    LocalAction-->>Workflow: completed

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review focus:
    • /.github/actions/download-persist.yaml — verify artifact naming, downloaded path, and destination copy.
    • /.github/workflows/release-*.yml β€” confirm each arch/os invocation and artifact directory usage.
    • flake.nix β€” validate nixpkgs input and removal of x86_64-darwin for remaining platform-specific logic.
    • CI matrix changes in build.yaml and check-and-test.yaml β€” ensure runner/version alignment and no leftover macOS references.

Poem

🐰 I hopped through workflows, tidy and quick,
fetching caches with one gentle trick.
Ubuntu leapt forward, macOS stepped away,
flakes rearranged for a lighter day.
A rabbit's patch — snug, swift, and slick.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Switch to secure packages' is vague and does not accurately reflect the main changes in the PR, which involve removing macOS support, updating GitHub Actions versions, and refactoring workflows. Consider a more specific title that captures the primary change, such as 'Update GitHub Actions, remove macOS support, and refactor workflows' or focus on the most significant change if consolidating is preferred.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2514963948e7598cc8fbccc5133ca0250bf3f7e1 and 723a225cd9af4ee771a37f6703c3a73e00e8cc93.

📒 Files selected for processing (1)
  • .github/workflows/check-and-test.yaml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Nix and Rust checks
🔇 Additional comments (2)
.github/workflows/check-and-test.yaml (2)

11-11: PR objectives appear incomplete.

The PR objectives state "change x86_64-linux runner to ubuntu-24.04" and "remove macOS entries from CI matrices," but the code still contains:

  • Line 11: ubuntu-22.04 (checks job)
  • Line 51: ubuntu-22.04 (action-integration-test X64-Linux)
  • Line 55: macos-latest-xlarge (action-integration-test ARM64-macOS)

Verify whether these lines should be updated to align with the PR objectives, or if the objectives need to be clarified.

Also applies to: 51-51, 55-55


16-16: Verify actions compatibility; download-artifact@v6 has behavioral breaking changes.

  • actions/checkout@v5 moves to Node 24 and requires GitHub Actions runner v2.327.1 or newer; verify self-hosted runners if in use.
  • actions/download-artifact@v6 changes path extraction for downloads by artifact ID, extracting directly to the target path instead of nested under the artifact name. Review downstream steps to ensure this output path change is compatible.
  • actions/download-artifact@v6 disables fork searching by default (security patch). If your workflow relies on cross-fork artifact retrieval, add search-owner options to maintain earlier behavior.

Also applies to: 60-60, 63-63



coderabbitai[bot] Nov 12 '25 21:11
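The composite action described in the walkthrough above (download one platform's `magic-nix-cache-<arch>-<os>` artifact, copy `magic-nix-cache.closure.xz` into `artifacts/<arch>-<os>`), written out as an added illustrative reconstruction. This is not the project's own file and is not taken from the PR diff: the action name, description, the `actions/download-artifact` major version, the `path` input, and the example `arch`/`os` values (`X64`, `Linux`, matching the `X64-Linux` naming the review comment quotes from `check-and-test.yaml`) are assumptions. One structural assumption is that the action lives at `.github/actions/download-persist/action.yaml`, because `uses: ./<dir>` resolves to an `action.yml`/`action.yaml` inside that directory rather than to a file named after the directory. The inputs are passed to the shell step through `env:` rather than interpolated with `${{ }}` into the script body, so a value containing shell metacharacters cannot become a script-injection vector, and an explicit `path:` is set so the copy step does not depend on the artifact action's default extraction layout.

```yaml
# .github/actions/download-persist/action.yaml (assumed location; added example,
# not the project's file)
name: download-persist
description: Download one platform's prebuilt closure and stage it under artifacts/

inputs:
  arch:
    description: Runner architecture label used in the artifact name (e.g. X64, ARM64)
    required: true
  os:
    description: Runner OS label used in the artifact name (e.g. Linux, macOS)
    required: true

runs:
  using: composite
  steps:
    - name: Download prebuilt closure
      uses: actions/download-artifact@v6   # assumed major version
      with:
        name: magic-nix-cache-${{ inputs.arch }}-${{ inputs.os }}
        path: downloaded                    # assumed: explicit extraction directory

    - name: Persist closure under artifacts/<arch>-<os>
      shell: bash
      # Inputs reach the script as environment variables, never as inline ${{ }}
      # text, so they are data to the shell rather than code.
      env:
        ARCH: ${{ inputs.arch }}
        OS: ${{ inputs.os }}
      run: |
        set -euo pipefail
        dest="artifacts/${ARCH}-${OS}"
        mkdir -p "$dest"
        # Fail loudly if the artifact did not contain the closure we expect.
        test -f downloaded/magic-nix-cache.closure.xz
        cp downloaded/magic-nix-cache.closure.xz "$dest/"
        ls -l "$dest"

---
# Caller fragment for a release workflow job (assumed shape of the
# release-*.yml invocations described above); one step per platform.
steps:
  - uses: actions/checkout@v5
  - uses: ./.github/actions/download-persist
    with:
      arch: X64
      os: Linux
```

When reviewing the real action, the items to check are the ones the summary lists: that the `name:` passed to `download-artifact` matches what the build job uploaded for each `arch`/`os` pair, that the copy source matches wherever that action version actually extracts the files, and that the `artifacts/` layout matches what the later release steps read. If the repository allows self-hosted runners, the runner version requirement the review comment attaches to `actions/checkout@v5` applies to this caller as well.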

CI still says there's pending checks for x86_64-darwin

RossComputerGuy Nov 13 '25 16:11